CSU System C logo

Internal Audit supports the mission of the CSU System by providing an independent and objective assurance and consulting activity.

Internal Audit adds value by bringing a systematic, disciplined approach to evaluation of the effectiveness, efficiency, and application of accounting, financial, and other internal controls necessary to accomplish System and institutional objectives in compliance with policies and procedures, regulatory requirements, and sound business practices.


All employees of the CSU System or a System institution have an affirmative obligation to report suspected fraud. Reports should be made to the Compliance Reporting Hotline (1-855- 263-1884) or directly to Internal Auditing or Office of General Counsel. Reports may be made anonymously. Reports must be made in good faith based on a reasonable belief that fraud may have occurred; a legal certainty is not required. A supervisor or administrator who receives a report of suspected fraud from an employee likewise has an obligation to report it to the Compliance Reporting Hotline, Internal Auditing, or the Office of General Counsel. The supervisor or administrator may make initial inquiries to the matter reported, but shall not independently initiate or conduct an investigation.



Determine objectives, scope, timing, and resources.


Test processes, transactions, and controls. Analyze test results and formulate conclusions.


Communicate audit results to audit client, management, Audit Committee, and stakeholders.


Review management actions in response to recommendations to ensure they are complete and sufficient to mitigate the concern noted.


A system of internal control comprises the plan of organization and all of the coordinate methods adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies. This definition recognizes that a system of internal control extends beyond matters which relate directly to the functions of the accounting and financial departments.

Simply put, internal controls are anything we do to help us achieve our objectives. Everyone uses internal controls in their typical daily activities, such as:

  • Did you lock your doors at home before leaving for work?
    • Probably so, because you wanted to protect the assets in your home from theft.
  • Do you write your PIN number on your debit card?
    • Probably not, because you know if you lose your card, someone else could use it..
  • Do you balance your bank statement each month?
    • Hopefully, because it ensures you know the correct balance in your account, ensures no one has inappropriately accessed your funds, and ensures that the bank has not made mistakes in their records.

The items above are examples of your personal internal control system. These are things you do to achieve your objectives in your own business and life. Many of these are logical, common-sense things you do every day without thinking about it. Just as we apply these things to our personal internal control system, we want to apply relevant controls to the University’s business and operational processes.

As previously noted, the primary purpose is to help us achieve our objectives. Typically, internal controls are noted for having four primary purposes:

  1. Protect the University’s assets
  2. Ensure records are accurate
  3. Promote operational efficiency
  4. Encourage adherence to policies and procedures

Generally speaking there are two types: preventative and detective DzԳٰDZ.

Preventative Controls are designed to discourage errors or irregularities from occurring. (Example: processing vouchers only after approval signatures have been obtained.)

Detective Controls are designed to find errors or irregularities after they have occurred. (Example: reconciling monthly account statements.)

  • Perform a self-assessment of your controls. Contact Internal Auditing for assistance in this process.
  • Request an internal control training session. Internal Auditing performs training on internal controls and what we believe are minimum requirements. Contact the Director of Internal Auditing if you would like a presentation on this topic for your unit.

The establishment and maintenance of acceptable business practices, as well as adequate and effective internal controls, are the responsibility of management. Managers are responsible for internal control policies and procedures specific to their unit or department. Every employee in the organization plays a part in the internal control system. All personnel are responsible for communicating operational problems in addition to complying with internal and external policies and regulations.

Internal Audit is not responsible for internal controls, but plays a significant role in recommending controls and providing consultation and advice on controls.


The Internal Auditing office provides the Board of Governors with an independent, objective assurance, and consulting activity designed to add value and improve the University’s operations. We do this by systematically evaluating the effectiveness of risk management, control, and governance processes.

As an expression of the commitment of the CSU System management and the CSU System Board of Governors to effective, efficient, and ethical operations, the Internal Auditing Department was created in 1967. It is charged with examining and evaluating the policies, procedures, and systems in place to ensure: the reliability and integrity of information; compliance with policies, plans, laws, and regulations; the safeguarding of assets; and, the responsible and efficient use of resources.

Internal Auditing has a solid-line reporting relationship to the Board of Governors’ Audit and Finance Committee. In order to promote effective management, the Director also reports to the Chancellor for purposes of administration and for assurance of adequate and appropriate consideration of audit findings within the organization.

No, all employees of the Internal Auditing department are CSU System employees. However, the offices are located on the campuses of CSU and CSU Pueblo, so the team can be a part of the campus communities.

Yes, an external auditor audits the combined financial statement of the CSU System annually. In addition, the State of Colorado Auditor’s Office may audit areas of each institution. Auditors from federal, state, or other external agencies may be on campus reviewing programs or research they have funded. Auditors working on campus should be able to appropriately identify themselves. If you have any questions regarding auditors’ work or requests for information, reach out at any time.

Audit projects are selected to help the institutions reach their goals. Most audits are chosen based on risk factors (such as the size of the unit, its inherent complexity, its resources, recent changes in management or organizational structure). Internal Auditing performs an annual risk assessment to develop the audit plan proposed to the CSU System Board of Governors for approval.

The length of time it takes to complete an audit varies significantly, depending on the size, complexity and strength of the area’s internal controls. Some take as little as a couple of weeks and others can take several months. The audit is a dynamic process, the scope of which can be expanded or reduced at any time depending on the issues.

During the initial audit meeting, or entrance conference, the group will discuss the audit schedule, try to accommodate time constraints, and be respectful of job responsibilities. The team will meet with key personnel and others in the department, only as needed. Much of the work, such as audit planning and report writing, is done without having to take time of the team facing the audit.

Primarily compliance with university policies and sound internal controls. Following policies helps protect the university from unnecessary risks and help ensure consistent, sound business practices. Auditors regularly make recommendations to implement a control even though it may not be specifically required by policy.

Learn about the audit process (above).

Auditors will share findings throughout the course of the audit. If an issue is identified during the audit where improvements can be made in operations or internal control, it will be described in the audit report, along with a recommendation to improve internal control or implement changes. The issues and a draft of the report will be discussed with unit management to ensure that the information is accurate. All recommendations will be thoroughly discussed, and management will be asked to develop a plan to address any issues noted in the recommendations, and identify a target date for implementation. Management’s response to recommendations will be included in the audit report.

An audit report is issued to those in a position to see that corrective actions are taken, as well as leadership who may need to be aware of the report.. Standard audit reports are addressed to the President of the institution.

Copies of the Audit Report and Executive Summary are sent to the following:

  • Members of the Board of Governors’ Audit and Finance Committee,
  • CSU System Chancellor,
  • The division vice president responsible for the audited area,
  • The auditee,
  • Any other official who is responsible for corrective action on recommendations,
  • CSU System Chief Financial Officer and Deputy Chief Financial Officer,
  • The University Controller/Campus Audit Liaison,
  • The CSU System Office of General Counsel, and
  • Any other officials deemed appropriate by the Internal Auditing Department.

Copies of the Executive Summary of the Audit Report are sent to the following:

  • CSU System Chancellor,
  • CSU System General Counsel,
  • CSU System Chief Financial Officer, and
  • The members of the Board of Governors.

The office considers requests for audit work, although ability to perform the audit might be affected by staffing levels or current obligations. The office may review your concern within the audit risk assessment process and consider it for the next year’s audit plan.

Internal Auditing Department
Colorado State University
301 Johnson Hall
Campus Delivery 0019
Fort Collins, CO 80523

Susy Serrano
Director, Internal Auditing
301 Johnson Hall
Campus Delivery 0019